Perhaps they're implementing OAuth... I'm curious as to how DotABuff is still managing to keep up to date data even though the API isn't working.
Perhaps they're implementing OAuth... I'm curious as to how DotABuff is still managing to keep up to date data even though the API isn't working.
They are pretending to be a client and spoofing the request packets. Whether or not this is circumventing the API is up for Valve to decide. I can't blame them for doing it though.
Okay so its completely fine to give users the key generation link, tell them to enter a bogus domain and enter the key in the tool settings? That's good news, then!There's nothing stopping you from doing that. I'm assuming by "non-web-based" you mean a desktop application and not something that runs in a browser. Any app that uses this api would obviously need to be connected to the internet, but nothing forces it to be running in a web browser. The domain name section you fill in when requesting a key isn't used to restrict that key's access to a particular domain. It's just for Valve's own purposes, presumably so they can have an idea of what/how many sites are using the service.
Edit: If you're worried about including your key in an application (certainly a valid concern!), then you could set up a server for your application and have your application access your server, which then accesses the webAPI using your key. That way you wouldn't have to worry about someone "stealing" your key from your application.
I don't have to supply any headers, then, just an InternetOpen/InternetOpenUrl will do?
Making every user generate their own API key will remove Valve's ability to monitor the consumption of their API by your application, which is a major reason for an API key.
Any non-web application will have some sort of library or method to make an HTTP request, even if it is not a "web application". Use that and generate one API key for your application.
Yea.. and if one user abuses it, no one can use it anymore because it gets blocked.. also users could exctract the API key and use it in anyway they want. Also Valve would see large amount of use of that one API key from different IP addresses and would probably block it also. Every user should get it's own API key. If they choose to use it in a certain application, its their responsibility.
maybe Zoid could comment on the issue.
What? I think you are confused on some basic concepts. The user would never see the API key, it would not be able to be abused or extracted. Every user should not get their own API key.
edit: I was incorrect here, the API key would be able to be extracted by someone with the desire and tools.
Last edited by walkingcarpet; 09-15-2012 at 11:22 AM.